Generally, state security breach notification laws require that organizations that collect, own or license personal information about a state's residents notify these individuals and, in some cases, other entities, such as consumer reporting and law enforcement agencies when unencrypted personal information has been lost or compromised.


Since my column was published, the Privacy Rights Clearinghouse (www.privacyrights.org) reported no fewer than 65 incidents of lost or compromised personal information in the U.S. affecting more than 3.5 million people. In December 2006, the Privacy Rights Clearinghouse also reported that security breaches had resulted in 100 million records being lost or compromised.

Federal Efforts to Pass Legislation

Over the past several years, Congress has engaged in a bipartisan effort to address security breaches. By the end of 2006, several pending bills would have created more stringent notification requirements, such as eliminating the encryption safe harbor that provides an exception from compliance with the state law if an organization encrypted the lost or compromised data, and expanding the Federal Trade Commission to include an Office of Identity Theft.

The new 110th Congress appears to be picking up where the last session of Congress left off with this legislation. Sen. Dianne Feinstein of California has already introduced the Notification of Risk to Personal Data Act, a bill requiring federal agencies and persons that are engaged in interstate commerce in possession of personally identifiable information to disclose any breach of such data.

Like several state security breach notification laws, the bill would require that business entities (and the federal government) notify individuals without unreasonable delay when there has been a security breach involving personal data. The bill also sets forth more stringent notification requirements, such as eliminating the encryption safe harbor and creating additional law enforcement notification requirements.

To Pre-empt or Not to Pre-empt?

If you're an IT executive, you may soon need to understand and comply with a federal security breach notification law. One of the most critical issues for your company -- and paradoxically one of the least-noted provisions -- is the impact of federal security breach notification requirements on state laws. If the Notification of Risk to Personal Data Act becomes law, it would effectively pre-empt state laws. Such a uniform approach would make compliance with the notification requirements easier and less costly.

But it doesn't end there. Congress has frequently amended its approach to pre-emption at the last minute, which could result in states being allowed to enforce laws that are more stringent than the federal law. If Congress pre-empts the act, your company would be required to comply with the federal law and each of the more stringent state laws, adding another layer of complexity to an already confusing, time-consuming and costly process.
